The Internet has been plagued by a variety of security threats over the past several years. The menace is exacerbated as more professionals enter this lucrative business, and attacks are becoming more sophisticated, since attackers are no longer merely interested in publicity. The low rate TCP Denial of Service (DoS) attack is one such intelligent attack, first described in A. Kuzmanovic and E. Knightly, “Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants),” Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, August 2003, pp. 75-86. A low rate DoS attack is typically illustrated by the periodic square waveform shown in FIG. 1, where T is the attack period, t is the burst period (the length of each burst), and R is the burst rate.
A low rate TCP DoS attack exploits the widely implemented minimum RTO (retransmission timeout) property of the TCP protocol. The following characterize a low rate TCP DoS attack:
It sends periodic bursts of packets, typically at one-second intervals, i.e., with the attack period T matched to the minimum RTO.
The burst rate R is equal to or greater than the bottleneck capacity, so the bottleneck queue overflows for the duration of each burst.
The burst period t is tuned to the round-trip times of the targeted TCP connections, so that a burst outlasts a full window of packets. The burst period therefore determines whether the attack denies service to connections with short or long round-trip times.
The exponential back-off of TCP's retransmission timer is thereby exploited: a connection that loses its packets in one burst retransmits after the minimum RTO, which coincides with the next burst, and each further timeout doubles the RTO to another multiple of T, so the connection never gets through.
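The interaction between the attack period and the retransmission timer, as an added worked example that is not part of the original text. It is a deliberately simple model: one TCP flow keeps a single segment in flight, the bottleneck drops any segment that arrives while a burst is on (R is at least the bottleneck capacity, so the queue stays full for the whole burst), and the sender reacts with TCP's timer: the minimum RTO on a fresh start, doubled on each consecutive timeout, reset after a successful ACK. The RTT, the one-way delay, the simulation length and the 1 s minimum RTO are assumptions.

```python
"""Throughput of one TCP flow under a low-rate (shrew) DoS attack.

Added example, not from the original text. Single-segment-in-flight model
with TCP's retransmission timer; all times are integer milliseconds and
all parameter values are assumptions chosen for illustration.
"""

MIN_RTO_MS = 1000    # minimum RTO of 1 s (RFC 6298); Linux uses 200 ms
MAX_RTO_MS = 64_000  # upper bound on the backed-off timer


def burst_on(t_ms, period_ms, burst_ms):
    """True while the attacker's periodic burst occupies the bottleneck."""
    return t_ms % period_ms < burst_ms


def delivered_segments(period_ms, burst_ms, rtt_ms=50, sim_ms=60_000):
    """Segments ACKed within sim_ms under an attack with period T=period_ms
    and burst period t=burst_ms.  period_ms=None models no attack."""
    now, rto, delivered = 0, MIN_RTO_MS, 0
    while now < sim_ms:
        at_bottleneck = now + rtt_ms // 2      # one-way delay (assumption)
        if period_ms is not None and burst_on(at_bottleneck, period_ms, burst_ms):
            now += rto                         # timer expires, retransmit
            rto = min(2 * rto, MAX_RTO_MS)     # exponential back-off
        else:
            delivered += 1
            now += rtt_ms                      # ACK returns, send the next one
            rto = MIN_RTO_MS                   # successful ACK resets the timer
    return delivered


def throughput_fraction(period_ms, burst_ms, rtt_ms=50, sim_ms=60_000):
    """Delivered segments relative to the unattacked flow (one per RTT)."""
    return delivered_segments(period_ms, burst_ms, rtt_ms, sim_ms) / (sim_ms // rtt_ms)


def average_attack_rate_fraction(burst_rate, capacity, burst_ms, period_ms):
    """Attacker's average send rate as a fraction of bottleneck capacity,
    R * t / T: the figure a rate-based detector sees over a long window."""
    return burst_rate * burst_ms / (period_ms * capacity)


if __name__ == "__main__":
    for T in (500, 1000, 1500, 2000, 3000):
        print(f"T={T:5d} ms  t=100 ms  throughput={throughput_fraction(T, 100):.2f}"
              f"  attacker average rate={average_attack_rate_fraction(1.0, 1.0, 100, T):.2f} of C")
```

With T equal to the minimum RTO (1000 ms) or a sub-multiple of it (500 ms) every retransmission lands in a burst and the flow delivers nothing, while the attacker's average rate is only R*t/T, one tenth of the bottleneck capacity at T = 1000 ms. For T above the minimum RTO this model delivers (T - minRTO)/T of the unattacked throughput: one third at 1500 ms, one half at 2000 ms.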
In a Reduction of Quality (RoQ) attack, the attacker sends short, high rate bursts of attack traffic at random times, forcing adaptive TCP traffic to back off in response to the temporary congestion the bursts cause. Because the periodicity of a RoQ attack is not well defined, the attacker can keep the average rate of the attack traffic low and evade regulation by active queue management (AQM) schemes such as random early detection (RED) and RED with preferential dropping (RED-PD). RED detects congestion early by monitoring the average queue length; RED-PD is an AQM scheme that regulates the long-lived flows that occupy most of the bandwidth in the Internet. The attack bursts introduce transients that keep the router queue from reaching a steady state. Since these stealthy attacks are publicly known, fixes are needed promptly. For simplicity, the term “low rate DoS attack” refers to both the low rate TCP DoS and RoQ attacks, unless otherwise stated.
The threat posed by low rate DoS attacks that use IP address spoofing, and by the low rate DoS attack model that uses botnets, is significant. Owing to the open nature of the Internet, IP address spoofing can still evade ingress and egress filtering at many sites. A low rate DoS attack can use IP address spoofing in a variety of ways, such as random IP address spoofing and continuous IP address spoofing. Most importantly, spoofing divides the high rate of a single flow during the burst period among multiple flows with spoofed identities, so an attacker can evade detection systems that look for an anomalous traffic rate. Detection systems that identify the periodicity of a low rate DoS attack in the frequency domain can detect the attack, but they fail to filter the attack traffic because the IP addresses an attacker will use in the future cannot be known in advance.
The problem is exacerbated by botnets. A botnet is a network of compromised real hosts across the Internet controlled by a master. An attacker controlling thousands of such hosts can use them to launch a low rate DoS attack whose traffic looks like that of random or continuous IP address spoofing, yet the IP addresses (those of the compromised hosts) are not spoofed, so the packets cannot be filtered by spoofing prevention techniques; indeed, the attack packets resemble ordinary HTTP flows. The objective, therefore, is to detect a low rate DoS attack that may employ any of these IP address spoofing techniques, and then filter the attack traffic. In a low rate DoS attack the attacker usually targets a network element, typically a router. Low rate DoS attacks launched from botnets can behave like normal connections and go undetected by prior systems; such systems can at best regulate and limit the aggregate, throttling legitimate and attack traffic alike.
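The detection-versus-filtering gap described above, as an added example that is not part of the original text. The packet trace is constructed inline (the bin width, background rate, burst size, number of legitimate hosts and bot pool size are all assumptions). A DFT over per-bin packet counts recovers the attack period whatever the source addresses are; the last function then measures how much of the next burst a blocklist built from the addresses seen in earlier bursts would actually stop, for random IP spoofing and for an unspoofed botnet.

```python
"""Finding the period of a low-rate DoS attack in the frequency domain, and
why the period alone does not yield a filter when sources are spoofed.

Added example, not from the original text. The trace is constructed here;
every parameter value is an assumption chosen for illustration.
"""
import cmath
import math
import random

BIN_MS = 10            # count-series bin width (assumption)
DURATION_MS = 20_000   # trace length (assumption)
T_MS = 1000            # attack period T: one burst per second
BURST_MS = 100         # burst period t
BURST_PKTS = 500       # packets per burst, 50 per bin (assumption)


def make_trace(seed=7, bot_pool=None):
    """Return a constructed, time-sorted list of (time_ms, src_ip) packets.

    Background: 200 legitimate hosts, about five packets per bin.
    Attack: a BURST_MS burst every T_MS.  With bot_pool=None every attack
    packet carries a fresh random 32-bit source (random IP spoofing);
    with bot_pool=N the packets come from N fixed, unspoofed bot addresses.
    """
    rng = random.Random(seed)
    legit = [rng.getrandbits(32) for _ in range(200)]
    bots = None if bot_pool is None else [rng.getrandbits(32) for _ in range(bot_pool)]
    pkts = []
    for start in range(0, DURATION_MS, BIN_MS):
        for _ in range(5 + rng.randint(-2, 2)):
            pkts.append((start + rng.randint(0, BIN_MS - 1), rng.choice(legit)))
    for burst_start in range(0, DURATION_MS, T_MS):
        for i in range(BURST_PKTS):
            ts = burst_start + i * BURST_MS // BURST_PKTS   # spread over the burst
            src = rng.choice(bots) if bots else rng.getrandbits(32)
            pkts.append((ts, src))
    pkts.sort()
    return pkts


def bin_counts(pkts):
    """Packets per BIN_MS bin over the whole trace."""
    counts = [0] * (DURATION_MS // BIN_MS)
    for ts, _ in pkts:
        counts[ts // BIN_MS] += 1
    return counts


def detect_period_ms(counts, min_period_ms=200, max_period_ms=5000):
    """Estimate the attack period from the strongest line in the DFT of the
    mean-removed count series, considering only periods in the given range."""
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]                 # drop the DC component
    k_lo = max(1, math.ceil(n * BIN_MS / max_period_ms))
    k_hi = n * BIN_MS // min_period_ms
    best_k, best_power = k_lo, -1.0
    for k in range(k_lo, k_hi + 1):                # k cycles over n bins
        w = -2j * math.pi * k / n
        power = abs(sum(xi * cmath.exp(w * i) for i, xi in enumerate(x))) ** 2
        if power > best_power:
            best_k, best_power = k, power
    return round(n * BIN_MS / best_k)              # period in ms


def blocklist_hit_fraction(pkts, period_ms, burst_ms=BURST_MS):
    """Fraction of packets in bursts 1..N-1 whose source address was already
    seen in an earlier burst: what a filter that blocklists past burst
    sources would stop in the next burst (burst phase 0 assumed)."""
    by_burst = {}
    for ts, ip in pkts:
        if ts % period_ms < burst_ms:
            by_burst.setdefault(ts // period_ms, []).append(ip)
    seen, hits, total = set(), 0, 0
    for b in sorted(by_burst):
        if b > 0:
            total += len(by_burst[b])
            hits += sum(ip in seen for ip in by_burst[b])
        seen.update(by_burst[b])
    return hits / total


if __name__ == "__main__":
    for label, pool in (("random IP spoofing", None), ("botnet, 50 real hosts", 50)):
        pkts = make_trace(bot_pool=pool)
        T = detect_period_ms(bin_counts(pkts))
        print(f"{label}: detected period {T} ms; a blocklist of past burst sources "
              f"would stop {blocklist_hit_fraction(pkts, T):.0%} of the next burst")
```

In both traces the spectrum has its strongest line at 1 Hz, so the period is found regardless of the addresses used. Under random spoofing the few "hits" the blocklist scores are the legitimate hosts whose packets happened to fall inside a burst window, so address filtering would hurt legitimate traffic without touching the attack. With the botnet, the same addresses recur in every burst, so a blocklist would catch them, but those addresses belong to real hosts whose packets pass spoofing prevention and look like ordinary flows.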
Botnet-based attacks are similar to low rate DoS attacks that use continuous IP address spoofing. An attacker may also use UDP packets to launch a low rate DoS attack, and prior systems make no provision to mitigate that threat; aggregate UDP traffic arriving from many networks can serve as the attack traffic. There is a need to detect and mitigate these problems and related issues.